Mandating a secure channel for web services


    I have an application that presents a Web UI and a SOAP service. My SOAP service uses WS-Security to authenticate (i.e. NOT HTTP authentication), but must be restricted to only be accessed over HTTPS.

    I was planning to use the Spring Security <http>/<intercept-url> elements to control access to both of these, but am running into problems locking down access to the web service.

    I wanted to do something like

        <http path-type="regex">
            <intercept-url pattern="/myWebService" filters="none" requires-channel="https"/>
            <intercept-url pattern="/.*" requires-channel="https"/>
            <form-login />
        </http>

    to allow forms-based login (via basic-auth) to the web UI, but no HTTP-based auth to the web service, and also to ensure that all SOAP requests must come in on a secure channel.

    Unfortunately this doesn't seem to work; it allows HTTP or HTTPS access to the web service.

    My guess is this is because the filters="none" directive is removing all filters from the list for that URL, including the channel filter that would have been set up by requires-channel="https".

    What I really want to say is that all filters are disabled with the exception of the channel filter, for the web service URL. How can I do that?
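
The behaviour described in the post, next to one alternative, as an added example that is not part of the original post. It assumes the Spring Security 2.x/3.0 XML namespace the post uses, where `filters="none"` takes a URL out of the filter chain entirely; the `IS_AUTHENTICATED_ANONYMOUSLY` access attribute and the explicit `<anonymous/>` element are choices made for this illustration.

```xml
<!-- Added illustration, not the poster's configuration. Assumes the Spring
     Security 2.x/3.0 XML namespace the post uses (path-type="regex"). -->

<!-- As posted: filters="none" removes /myWebService from the filter chain,
     so the requires-channel attribute on the same element never takes effect
     and the service answers on both HTTP and HTTPS. -->
<http path-type="regex">
    <intercept-url pattern="/myWebService" filters="none" requires-channel="https"/>
    <intercept-url pattern="/.*" requires-channel="https"/>
    <form-login/>
</http>

<!-- Alternative: keep the URL in the chain so the channel filter runs, and
     admit anonymous requests so no HTTP-level login is demanded for it.
     WS-Security in the SOAP stack remains the only authentication step. -->
<http path-type="regex">
    <intercept-url pattern="/myWebService"
                   access="IS_AUTHENTICATED_ANONYMOUSLY"
                   requires-channel="https"/>
    <!-- Second rule left exactly as in the post. -->
    <intercept-url pattern="/.*" requires-channel="https"/>
    <form-login/>
    <!-- Stated explicitly so anonymous requests get a token whether or not
         auto-config is in use (assumption about the rest of the setup). -->
    <anonymous/>
</http>
```

With the default channel processing, a plain-HTTP request to a `requires-channel="https"` URL is answered with a redirect to HTTPS, so a client that posts to the http endpoint has already sent its SOAP message, WS-Security header included, in cleartext. Clients therefore still need to be configured with the https endpoint address.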